Forum Discussion
player_72606
Nimbostratus
Jun 29, 2014
randomize snat
Hi all,
I need to create a NAT and randomize it using multiple /28 subnets.
I have created a data group to contain the subnets. How can I randomize the NAT selection? I saw that we can use the "rand"...
nitass
Employee
Jun 29, 2014
Not sure if I understand correctly. Anyway, this is my testing.
snat_list is a string data group containing the SNAT IP subnets. Please note that the server has to route return traffic back to the BIG-IP.
config
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm virtual bar
ltm virtual bar {
    destination 172.28.24.10:80
    ip-protocol tcp
    mask 255.255.255.255
    pool foo
    profiles {
        tcp { }
    }
    rules {
        qux
    }
    source 0.0.0.0/0
    vs-index 41
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm pool foo
ltm pool foo {
    members {
        200.200.200.101:80 {
            address 200.200.200.101
        }
    }
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm data-group internal snat_class
ltm data-group internal snat_class {
    records {
        192.168.1.16/255.255.255.240 { }
        192.168.2.32/255.255.255.248 { }
    }
    type string
}
root@(ve11a)(cfg-sync In Sync)(Active)(/Common)(tmos) list ltm rule qux
ltm rule qux {
    # convert a dotted-quad IPv4 address to a 32-bit integer
    proc ip2int { ip } {
        set octets [split $ip .]
        set ipint [expr {(256 * 256 * 256 * [lindex $octets 0]) + (256 * 256 * [lindex $octets 1]) + (256 * [lindex $octets 2]) + [lindex $octets 3]}]
        return $ipint
    }
    # random integer in 0..max-1, i.e. a valid lindex index for a list of length max
    # (rand()*($max+1) could return $max, one past the end of the list)
    proc random { max } {
        return [expr {int(rand()*$max)}]
    }
    when RULE_INIT {
        # expand every ip/mask record of the data group into individual addresses
        set static::snat_list {}
        foreach elm [class get snat_class] {
            scan [lindex $elm 0] {%[^/]/%s} ip mask
            # number of addresses in the block (includes first and last address)
            set num [expr {[call ip2int 255.255.255.255] - [call ip2int $mask] + 1}]
            for {set i 0} {$i < $num} {incr i} {
                set t [expr {[call ip2int $ip] + $i}]
                lappend static::snat_list [IP::addr parse -ipv4 [binary format I $t]]
            }
        }
        set static::snat_len [llength $static::snat_list]
        unset elm ip mask num i t
    }
    when CLIENT_ACCEPTED {
        # pick one address from the expanded list uniformly at random
        snat [lindex $static::snat_list [call random $static::snat_len]]
    }
}
trace
[root@ve11a:Active:In Sync] config tcpdump -nni 0.0 -s0 'tcp[13] = 2'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on 0.0, link-type EN10MB (Ethernet), capture size 65535 bytes
06:47:31.432326 IP 172.28.24.1.48161 > 172.28.24.10.80: S 298963641:298963641(0) win 5840 in slot1/tmm1 lis=
06:47:31.434456 IP 192.168.1.22.48161 > 200.200.200.101.80: S 276765464:276765464(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.513825 IP 172.28.24.1.48162 > 172.28.24.10.80: S 3119548056:3119548056(0) win 5840 in slot1/tmm0 lis=
06:47:31.515734 IP 192.168.2.33.48162 > 200.200.200.101.80: S 1647113171:1647113171(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.567365 IP 172.28.24.1.48163 > 172.28.24.10.80: S 2523860699:2523860699(0) win 5840 in slot1/tmm1 lis=
06:47:31.568874 IP 192.168.1.26.48163 > 200.200.200.101.80: S 2322897545:2322897545(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.596345 IP 172.28.24.1.48164 > 172.28.24.10.80: S 1548997994:1548997994(0) win 5840 in slot1/tmm0 lis=
06:47:31.602295 IP 192.168.2.36.48164 > 200.200.200.101.80: S 4150002812:4150002812(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.619097 IP 172.28.24.1.48165 > 172.28.24.10.80: S 3701869019:3701869019(0) win 5840 in slot1/tmm1 lis=
06:47:31.620489 IP 192.168.1.28.48165 > 200.200.200.101.80: S 733377398:733377398(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.677394 IP 172.28.24.1.48166 > 172.28.24.10.80: S 253426786:253426786(0) win 5840 in slot1/tmm0 lis=
06:47:31.678775 IP 192.168.1.26.48166 > 200.200.200.101.80: S 3356910604:3356910604(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.702024 IP 172.28.24.1.48167 > 172.28.24.10.80: S 1614702065:1614702065(0) win 5840 in slot1/tmm1 lis=
06:47:31.703896 IP 192.168.1.29.48167 > 200.200.200.101.80: S 911342013:911342013(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.709245 IP 172.28.24.1.48168 > 172.28.24.10.80: S 147699432:147699432(0) win 5840 in slot1/tmm0 lis=
06:47:31.710322 IP 192.168.1.16.48168 > 200.200.200.101.80: S 1159993457:1159993457(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.748100 IP 172.28.24.1.48169 > 172.28.24.10.80: S 1848051608:1848051608(0) win 5840 in slot1/tmm1 lis=
06:47:31.749172 IP 192.168.1.29.48169 > 200.200.200.101.80: S 3736572387:3736572387(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.780676 IP 172.28.24.1.48170 > 172.28.24.10.80: S 3760627980:3760627980(0) win 5840 in slot1/tmm0 lis=
06:47:31.781664 IP 192.168.2.33.48170 > 200.200.200.101.80: S 3107354337:3107354337(0) win 4380 out slot1/tmm0 lis=/Common/bar
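An added check, not part of nitass's post or any F5 code, that reproduces the iRule's pool expansion in Python (the standard `ipaddress` module stands in for the ip2int arithmetic) and verifies that every SNAT source seen in the tcpdump trace falls inside the data-group subnets; the records and trace lines are constructed copies of those shown above.

```python
import ipaddress
import random
import re

# Constructed copy of the snat_class data-group records from the post.
SNAT_RECORDS = ["192.168.1.16/255.255.255.240", "192.168.2.32/255.255.255.248"]

def expand_snat_pool(records):
    """Flatten ip/mask records into one address list, as the iRule's RULE_INIT does.
    Like the iRule it keeps every address in the block, including the first and last."""
    pool = []
    for rec in records:
        net = ipaddress.ip_network(rec, strict=False)   # accepts dotted-netmask form
        pool.extend(str(addr) for addr in net)          # iterating a network yields all addresses
    return pool

def pick_snat(pool, seed=None):
    """Choose one pool entry; the index range is 0..len-1 (rand()*(len+1) can overshoot)."""
    rng = random.Random(seed)
    return pool[rng.randrange(len(pool))]

# Constructed tcpdump lines in the format shown in the post; 'out' marks the server-side SYN.
TRACE = """\
06:47:31.432326 IP 172.28.24.1.48161 > 172.28.24.10.80: S 298963641:298963641(0) win 5840 in slot1/tmm1 lis=
06:47:31.434456 IP 192.168.1.22.48161 > 200.200.200.101.80: S 276765464:276765464(0) win 4380 out slot1/tmm1 lis=/Common/bar
06:47:31.515734 IP 192.168.2.33.48162 > 200.200.200.101.80: S 1647113171:1647113171(0) win 4380 out slot1/tmm0 lis=/Common/bar
06:47:31.710322 IP 192.168.1.16.48168 > 200.200.200.101.80: S 1159993457:1159993457(0) win 4380 out slot1/tmm0 lis=/Common/bar
"""

OUT_SYN = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: .* out ")

def outbound_sources(trace):
    """Source addresses of the server-side ('out') SYNs in a tcpdump trace."""
    return [m.group(1) for m in map(OUT_SYN.search, trace.splitlines()) if m]

def check_trace(trace, records):
    """Return outbound sources that are NOT in the configured SNAT pool (empty means all good)."""
    pool = set(expand_snat_pool(records))
    return [src for src in outbound_sources(trace) if src not in pool]

if __name__ == "__main__":
    pool = expand_snat_pool(SNAT_RECORDS)
    print(len(pool), "SNAT addresses, e.g.", pick_snat(pool, seed=1))
    print("unexpected sources:", check_trace(TRACE, SNAT_RECORDS))
```

Run it against a real capture by pasting the tcpdump output into TRACE; any address printed as unexpected was not produced by the data-group records and points at a stale class or a second SNAT source.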
